With the development of computer and Internet technology, databases have become increasingly important for efficiently storing large quantities of data and for easily and rapidly retrieving the stored data by using a desired search condition. Current database systems permit large amounts of information to be stored and searched. Some of this information may be sensitive, such as credit card numbers and the like.
In particular, security is obligatorily required for a database that collects and manages personal information in the financial sector, Internet portal sites, and the like. A database management system storing mass data must ensure that the information processing service of a user having proper authority is not rejected by the computer system, and must guarantee the integrity, confidentiality, and availability of the data, in order to prevent a user having no authority from obtaining or improperly writing information processed by a computer.
In recent years, information leakage caused by exposure of an encryption key by a server administrator or a developer of a database has been a serious problem. That is, as the degree of information integration has gradually increased, the quantity of information accumulated in enterprise databases has increased in proportion. As a result, when client information (residential registration numbers, phone numbers, account numbers, and the like) contained in a client information database managed by a communication company leaks through an illegal route, the ripple effect of the damage is huge.
Data leakage may occur through hacking by a hacker outside the enterprise, physical access to a data storage space, and the like. However, most information leakage is in fact caused by an internal person (for example, a database administrator) having valid access authority to the database, and leakage by an internal person may cause more serious and critical damage than a hacking incident originating from outside.
The prior art for administering database security restricts access to specific information by a specific user by using an access control scheme prescribed in a security profile allocated to each client. This technology may prevent a client from accessing unlicensed information. However, the prior art has the disadvantage that it cannot prevent an illegal action by an internal person (for example, a database administrator) having proper access authority, or by a person having OS privilege.